JOSE WG minutes (24 March 2015, 1730-1830 CDT (2230-2330 UTC)) The meeting was chaired by Jim Schaad and Karen ODonoghue. Minutes were taken by Peter Yee, and Joe Hildebrand agreed to relay from the jabber chat room. The Note Well was presented, and the agenda and admin slides are referenced below: www.ietf.org/proceedings/92/agenda/agenda-92-jose www.ietf.org/proceedings/92/slides/slides-92-jose-1.pdf The JOSE WG is trying to close down, its charter deliverables having been essentially completed. The core documents are with the RFC editor. The cookbook draft is waiting for the core drafts as references. Schaad believes the drafts will be in AUTH48 state next month. There is one outstanding issue with respect to the thumbprint draft. Will the thumbprint draft be Standards Track or Informational? Matt Miller indicates he is fine with Informational despite the presence of RFC 2119 language in the document. Mike Jones noted that there is another document that could make a normative reference to this document, although the publication status probably does not matter. COSE Overview Jim Schaad (August Cellars) Slides and drafts: www.ietf.org/proceedings/92/slides/slides-92-jose-0.pdf draft-schaad-cose-00 draft-bormann-jose-cose-00 COSE would use large parts of the JOSE world, but it would not be completely compatible. Specifically, COSE would not be cryptographically compatible ? a document in one form can not be cryptographically converted to the other. CBOR idioms would be used. Reuse of the JOSE algorithm registry would make sense through additions; the header parameter registry can also be reused; basic paradigms such as the structure of things will also be similar. Carsten Bormann produced a first shot at this, replacing base64 with binary encoding, CBOR in place of JSON. A few other changes: use integers instead of text strings for keys (a CBOR optimization when there are few keys); use of arrays instead of periods for encoding. Schaad?s shot at COSE is similar, but replaces some maps with arrays, separates MAC and Signature, adds recipient management for MAC, and uses the same structure for encrypted bodies and recipients. Samples of each appear similar visually. Doing a size comparison, both schemes produce substantially smaller encodings compared with their JOSE equivalents. Schaad suggests that for COSE, arrays make sense in place of maps for some uses ? only the recipient case is less efficient as an array vs. a map. (Arrays cost extra bytes for empty places, maps cost extra bytes for extant places.) Integers on the left hand side of a map are a win. Using them on the right hand side for things like algorithm names would be a big win. Joe Hildebrand suggests that we should profile what parts of CBOR are needed for COSE. He is not sure he wants to include tags in the profile, for example, but he could find them acceptable if push came to shove. Separation of MAC and Signature structures makes it easier to discuss the security properties. Schaad believes that the IoT world will most likely use MACs more than Signatures. Use of a single encryption structure simplifies code, which is important to much of the IoT world. This simplification also allows a future change from a composite algorithm specification to a Chinese menu system. Schaad wants to move the Auth Tag into the CipherText to obtain a decrease in output size and simplify IV handling. For cleanness of design, the proposal separates unauthenticated and authenticated attributes (JOSE header parameters) into two layers. Some changes that have been requested: 1) AES-CCM-8, 2) HIP work on AES that uses only AES encryption for most operations. There was a fair amount of interest on working on COSE, although few could commit to reviewing documents by Easter. Kathleen Moriarty would like this work to be started ASAP ? ACE and RADEXT both have expressed need for it. A new WG and mailing list would probably be best to get the best exposure and appropriate participation. There are two COSE proposals: Schaad?s has more changes to JOSE than Bormann?s. Phil Hallam-Baker has an alternate proposal for a compact representation that would be within scope of the JOSE WG ? he feels that fundamental errors in the path that JOSE took have made COSE appear attractive. He will post a draft that shows how he thinks things should be done. Joe Hildebrand thinks that greater use of CBOR idioms would also be a helpful approach. Mike Jones has read both drafts and likes elements of each, but he prefers Bormann?s draft but applying Schaad?s array changes. However, a meta discussion about what changes to JOSE are to be entertained should be held upfront rather than relitigating each decision throughout the process. Matt Miller would like to see the key management model unified and he is concerned about rushing to finish things and then finding that fundamental fixes are needed. Martin Thompson would prefer to focus on transformations and encodings, not reopening discussions about what people wish JOSE had been. Mike Jones notes that some people do still want detached payloads, which can be done with either proposal. A new mailing list for COSE will be spun up immediately. A group of volunteers to generate a charter for a COSE WG includes many of the usual suspects from JOSE. Separately, discussions of things that should be fixed in JOSE can be held on the JOSE mailing list. A COSE WG could probably be created in time for the Prague IETF meeting in July. Mike Jones noted that the meeting materials has a PDF he created to discuss Key Managed JSON Web Signature. He thinks takeaways in the presentation could influence the COSE exercise, and he asks the JOSE WG to take a look at it. Phil Hallam-Baker mentioned one of his drafts (missed details and draft name). Something about not using base64. Mike Jones favors something like this and feels that it is a JOSE extension. Any such extensions need to be discussed on the mailing list quickly lest the WG shut down before they are given considerations.